If you only want to ask for offline access and additional scopes for certain users then you should make an additional authentication/authorization request. The additional request is unavoidable because you want to request more scopes and also a new type of access (offline), however, assuming the user already authenticated once then this can be made in a way that the user does not have to actually authenticate (provide credentials) again.

The user will be required to allow the additional permissions at Google, but there should be no need to authenticate.

In order to request offline access with Google you’ll need to include an additional parameter in the request to the /authorize endpoint at Auth0, more specifically, access_type=offline. In order to include additional scopes you can include a second parameter connection_scope that will allow you to specify which further scopes should be requested at Google. Finally, if you also include a connection parameter for the Google connection you can be redirected automatically to Google as long as the user as a session at Auth0.